Understanding wp-config.php
Learning Objectives
- Master all wp-config.php settings and options
- Understand database configuration and optimization
- Implement security best practices
- Configure debugging and development settings
- Learn advanced configuration techniques
- Create environment-specific configurations
Introduction
The wp-config.php file is the heart of your WordPress configuration. It controls database connections, security settings, debugging options, and much more. Understanding this file is crucial for WordPress development and maintenance.
Configuration Hierarchy
graph TD
A[wp-config.php Location] --> B{Root Directory?}
B -->|Yes| C[Load wp-config.php]
B -->|No| D{One Level Up?}
D -->|Yes| E[Load ../wp-config.php]
D -->|No| F[Use wp-config-sample.php]
C --> G[Database Settings]
C --> H[Security Keys]
C --> I[WordPress Settings]
C --> J[Custom Constants]
G --> K[Connect to MySQL]
H --> L[Secure Sessions]
I --> M[Configure WordPress]
J --> N[Custom Functionality]
style A fill:#0073aa,color:#fff
style C fill:#21759b,color:#fff
style K fill:#46b450,color:#fff
Essential Database Configuration
Basic Database Settings
<?php
/**
* WordPress Database Configuration
* These settings connect WordPress to your MySQL database
*/
// Database name
define( 'DB_NAME', 'wordpress_db' );
// Database username
define( 'DB_USER', 'wp_user' );
// Database password
define( 'DB_PASSWORD', 'strong_password_here' );
// Database host (usually 'localhost')
define( 'DB_HOST', 'localhost' );
// Database charset (don't change unless necessary)
define( 'DB_CHARSET', 'utf8mb4' );
// Database collation (leave empty for default)
define( 'DB_COLLATE', '' );
/**
* Advanced Database Settings
* DB_HOST is already defined above and a constant can be defined only once,
* so the alternative values below are commented out. Use one of them in
* place of the definition above.
*/
// Use persistent connections (can improve performance)
define( 'WP_USE_PERSISTENT_CONNECTIONS', true );
// Custom database port (if not using default 3306)
// define( 'DB_HOST', 'localhost:3307' );
// Socket connection for local development
// define( 'DB_HOST', 'localhost:/tmp/mysql.sock' );
// Remote database with custom port
// define( 'DB_HOST', 'mysql.example.com:3306' );
// Database error suppression (only for production)
define( 'WP_SUPPRESS_DB_ERRORS', true );
Security Keys and Salts
Authentication Keys Configuration
<?php
/**
* Authentication Unique Keys and Salts
*
* Generate new keys at: https://api.wordpress.org/secret-key/1.1/salt/
* These values are mixed into the hashes WordPress uses for login cookies
* and nonces; changing them invalidates all existing sessions
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**
* Example of what generated keys look like (generate your own!)
* Commented out because each constant can be defined only once.
*/
// define('AUTH_KEY', '7T~W#4I/F+KpF-Yv-e+PTR%)p30@]b7$FW,+e,+#mIT+rzD');
// define('SECURE_AUTH_KEY', 'L$P<Q!||dIIg(+02wsJ7H;9E9!LJ6#8iE+KH5+p+CSJP%');
// define('LOGGED_IN_KEY', 'ak5_sT+z4f-ejv#&ED&[s
WordPress Configuration Settings
Table Prefix
<?php
/**
* WordPress Database Table prefix
* Change this to improve security (before installation)
*/
$table_prefix = 'wp_'; // Default
// Alternatives: only the last assignment takes effect, so enable just one.
// Better security through obscurity
// $table_prefix = 'wpx7k9_'; // Random prefix
// Multiple sites in same database
// $table_prefix = 'site1_'; // For first site
// $table_prefix = 'site2_'; // For second site
WordPress URLs and Paths
<?php
/**
* WordPress URL Settings
* Define site URL and home URL (optional, can boost performance)
*/
// Site URL (where WordPress files are)
define( 'WP_SITEURL', 'https://example.com' );
// Home URL (site homepage)
define( 'WP_HOME', 'https://example.com' );
// Force SSL for admin and logins
define( 'FORCE_SSL_ADMIN', true );
define( 'FORCE_SSL_LOGIN', true ); // Deprecated, use FORCE_SSL_ADMIN
// Custom content directory (advanced)
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/content' );
define( 'WP_CONTENT_URL', 'https://example.com/content' );
// Custom plugins directory
define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/plugins' );
define( 'WP_PLUGIN_URL', 'https://example.com/plugins' );
// Custom uploads directory
define( 'UPLOADS', 'wp-content/media' );
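// Move wp-content outside web root (security)
// Alternative to the custom content directory above; WP_CONTENT_DIR and
// WP_CONTENT_URL can each be defined only once.
// define( 'WP_CONTENT_DIR', '/home/user/content' );
// define( 'WP_CONTENT_URL', 'https://static.example.com' );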
Debug Configuration
Development Debug Settings
<?php
/**
* Debug Mode Configuration
* Essential for development, disable in production
*/
// Basic debug mode
define( 'WP_DEBUG', true );
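// Debug logging to wp-content/debug.log. That file sits inside the web root,
// so block HTTP access to it, or pass a path outside the web root instead of
// true (supported since WordPress 5.1).
define( 'WP_DEBUG_LOG', true );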
// Display errors on screen (dev only!)
define( 'WP_DEBUG_DISPLAY', true );
// Use development versions of core JS and CSS files
define( 'SCRIPT_DEBUG', true );
// Log database queries for analysis
define( 'SAVEQUERIES', true );
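/**
* Complete Development Configuration
* Use this block instead of the individual defines above (a constant can be
* defined only once), and define WP_ENV before it.
*/
if ( defined( 'WP_ENV' ) && WP_ENV === 'development' ) {
    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_LOG', true );
    define( 'WP_DEBUG_DISPLAY', true );
    define( 'SCRIPT_DEBUG', true );
    define( 'SAVEQUERIES', true );
    // Disable caching
    define( 'WP_CACHE', false );
    // Show admin bar
    define( 'WP_ADMIN_BAR', true );
    // Enable error reporting
    @ini_set( 'display_errors', 1 );
    @ini_set( 'log_errors', 1 );
    // WP_CONTENT_DIR is not defined yet at this point in wp-config.php
    // (unless you define it yourself), so build the path from this file.
    @ini_set( 'error_log', dirname( __FILE__ ) . '/wp-content/debug.log' );
}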
/**
* Production Configuration
*/
if ( defined( 'WP_ENV' ) && WP_ENV === 'production' ) {
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'SCRIPT_DEBUG', false );
define( 'SAVEQUERIES', false );
// Enable caching
define( 'WP_CACHE', true );
// Disable file editing
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
// Hide errors
@ini_set( 'display_errors', 0 );
}
Performance Optimization
Memory and Limits
<?php
/**
* Performance and Memory Settings
*/
// Increase PHP memory limit for WordPress
define( 'WP_MEMORY_LIMIT', '256M' );
// Increase memory limit for admin area
define( 'WP_MAX_MEMORY_LIMIT', '512M' );
// Post revisions (limit to save database space)
define( 'WP_POST_REVISIONS', 5 ); // Keep only 5 revisions
// define( 'WP_POST_REVISIONS', false ); // Disable revisions
// Autosave interval (default is 60 seconds)
define( 'AUTOSAVE_INTERVAL', 120 ); // 2 minutes
// Empty trash automatically
define( 'EMPTY_TRASH_DAYS', 7 ); // 7 days
// define( 'EMPTY_TRASH_DAYS', 0 ); // Disable trash
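// Database repair/optimize page: example.com/wp-admin/maint/repair.php
// The page works without logging in while this constant is true, so enable
// it only for the repair and remove the line afterwards.
define( 'WP_ALLOW_REPAIR', true );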
// Cache
define( 'WP_CACHE', true ); // Enable cache plugins
// Compression
define( 'COMPRESS_CSS', true );
define( 'COMPRESS_SCRIPTS', true );
define( 'CONCATENATE_SCRIPTS', true );
define( 'ENFORCE_GZIP', true );
Security Hardening
Security Constants
<?php
/**
* Security Configuration
*/
// Disable file editing in admin
define( 'DISALLOW_FILE_EDIT', true );
// Disable plugin and theme updates and installs (this also stops automatic core updates)
define( 'DISALLOW_FILE_MODS', true );
// Disable unfiltered HTML for admins and editors
define( 'DISALLOW_UNFILTERED_HTML', true );
// Force file permissions
define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );
// Block external requests
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );
// Cookie settings
define( 'COOKIE_DOMAIN', '.example.com' );
define( 'COOKIEPATH', '/' );
define( 'SITECOOKIEPATH', '/' );
// Admin cookie path
define( 'ADMIN_COOKIE_PATH', '/wp-admin' );
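// Disable WordPress auto updates (security releases then have to be applied
// by your own deployment process)
define( 'AUTOMATIC_UPDATER_DISABLED', true );
// Or configure specific auto updates
define( 'WP_AUTO_UPDATE_CORE', false ); // true, false, or 'minor'
// FTP/SSH constants for updates (only needed when PHP cannot write the files
// itself; anyone who can read this file can read these credentials)
define( 'FTP_USER', 'username' );
define( 'FTP_PASS', 'password' );
define( 'FTP_HOST', 'ftp.example.com' );
define( 'FTP_SSL', false ); // false = plain FTP, credentials sent unencrypted
// Force direct filesystem writes (the FTP_* constants above are then unused)
define( 'FS_METHOD', 'direct' );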
Security Best Practices
- Always use strong, unique security keys
- Change the default table prefix before installation
- Disable file editing in production
- Limit post revisions to save database space
- Use HTTPS and force SSL for admin
- Implement proper file permissions
- Consider moving wp-config.php one directory above web root
- Never commit real credentials to version control
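Several items on this list can be checked mechanically. The script below is an added example, not part of the original tutorial: `audit_wp_config()`, the 64-character threshold (the length the WordPress.org generator emits) and the sample configuration are assumptions made for illustration.

```php
<?php
// Added example: static audit of wp-config.php source text.
function audit_wp_config( string $src ): array {
    $keys = array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                   'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
    // Matches define( 'NAME', <quoted string or bare literal> ); at line start,
    // so commented-out and computed definitions are skipped.
    $re = <<<'RE'
/^\s*define\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^,()]+?)\s*\)\s*;/m
RE;
    preg_match_all( $re, $src, $matches, PREG_SET_ORDER );
    $seen = $findings = array();
    foreach ( $matches as $m ) {
        if ( isset( $seen[ $m[1] ] ) ) {
            // PHP keeps the first definition and only warns about later ones.
            $findings[] = "{$m[1]} is defined more than once; only the first value applies";
            continue;
        }
        $seen[ $m[1] ] = trim( $m[2], "'\"" );
    }
    foreach ( $keys as $k ) {
        $v = $seen[ $k ] ?? '';
        // Threshold of 64 characters is an assumption of this example.
        if ( strlen( $v ) < 64 || stripos( $v, 'unique phrase' ) !== false ) {
            $findings[] = "$k is missing, a placeholder, or shorter than 64 characters";
        }
    }
    $on = fn( $name, $default ) => strtolower( $seen[ $name ] ?? $default ) === 'true';
    // WP_DEBUG_DISPLAY defaults to true once WP_DEBUG is on.
    if ( $on( 'WP_DEBUG', 'false' ) && $on( 'WP_DEBUG_DISPLAY', 'true' ) ) {
        $findings[] = 'WP_DEBUG_DISPLAY is in effect: PHP errors are shown to visitors';
    }
    if ( ! $on( 'DISALLOW_FILE_EDIT', 'false' ) ) {
        $findings[] = 'DISALLOW_FILE_EDIT is not enabled';
    }
    if ( preg_match( '/^\s*\$table_prefix\s*=\s*[\'"]wp_[\'"]/m', $src ) ) {
        $findings[] = 'table prefix is the default wp_';
    }
    return $findings;
}
// Constructed sample input; pass file_get_contents( 'wp-config.php' ) instead.
$sample = <<<'CFG'
define( 'DB_HOST', 'localhost' );
define( 'DB_HOST', 'localhost:3307' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
CFG;
echo implode( PHP_EOL, audit_wp_config( $sample ) ), PHP_EOL;
```

The check reads the file as text and never executes it, so it can run in CI against a configuration template without database access.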
Multisite Configuration
Multisite Network Settings
<?php
/**
* WordPress Multisite Configuration
*/
// Enable Multisite
define( 'WP_ALLOW_MULTISITE', true );
// After network setup, add these:
define( 'MULTISITE', true );
define( 'SUBDOMAIN_INSTALL', false ); // true for subdomains, false for subdirectories
define( 'DOMAIN_CURRENT_SITE', 'example.com' );
define( 'PATH_CURRENT_SITE', '/' );
define( 'SITE_ID_CURRENT_SITE', 1 );
define( 'BLOG_ID_CURRENT_SITE', 1 );
// Network admin email
define( 'NETWORK_ADMIN_EMAIL', 'admin@example.com' );
// Sunrise for domain mapping
define( 'SUNRISE', true );
// Cookie settings for multisite
define( 'COOKIE_DOMAIN', '' ); // Important: leave empty for multisite
// Upload settings
define( 'UPLOADBLOGSDIR', 'wp-content/blogs.dir' );
define( 'UPLOADS', 'files' );
// Multisite file upload limits
define( 'WP_NETWORK_MAX_UPLOAD_FILE_SIZE', 5242880 ); // 5MB
define( 'WP_NETWORK_SITE_UPLOAD_SPACE', 104857600 ); // 100MB per site
Environment-Specific Configuration
Dynamic Configuration Based on Environment
<?php
/**
* Environment-based Configuration
* Adapt settings based on server environment
*/
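// Method 1: Using server hostname
// HTTP_HOST is taken from the request's Host header, so rely on it only where
// the web server accepts the hostnames listed below and nothing else. When
// the header is absent (WP-CLI, cron) the fallback selects the development branch.
$host = $_SERVER['HTTP_HOST'] ?? 'localhost';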
switch ( $host ) {
case 'localhost':
case 'dev.example.com':
// Development settings
define( 'WP_ENV', 'development' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'DB_NAME', 'wordpress_dev' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '' );
define( 'DB_HOST', 'localhost' );
break;
case 'staging.example.com':
// Staging settings
define( 'WP_ENV', 'staging' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'DB_NAME', 'wordpress_staging' );
define( 'DB_USER', 'staging_user' );
define( 'DB_PASSWORD', 'staging_pass' );
define( 'DB_HOST', 'localhost' );
break;
case 'example.com':
case 'www.example.com':
// Production settings
define( 'WP_ENV', 'production' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'DB_NAME', 'wordpress_prod' );
define( 'DB_USER', 'prod_user' );
define( 'DB_PASSWORD', 'secure_password' );
define( 'DB_HOST', 'localhost' );
break;
default:
die( 'Unknown environment' );
}
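// Method 2: Using environment variables (.env file)
// Use one method only: constants defined by Method 1 cannot be defined again.
// Keep .env outside the web root or deny HTTP access to it.
if ( file_exists( dirname( __FILE__ ) . '/.env' ) ) {
    $env = parse_ini_file( dirname( __FILE__ ) . '/.env' );
    define( 'DB_NAME', $env['DB_NAME'] );
    define( 'DB_USER', $env['DB_USER'] );
    define( 'DB_PASSWORD', $env['DB_PASSWORD'] );
    define( 'DB_HOST', $env['DB_HOST'] );
    // parse_ini_file() turns an unquoted true into "1", so a comparison with
    // the string 'true' never matches; validate the value as a boolean instead.
    define( 'WP_DEBUG', filter_var( $env['WP_DEBUG'] ?? false, FILTER_VALIDATE_BOOLEAN ) );
}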
// Method 3: Using separate config files
$env = getenv( 'WP_ENV' ) ?: 'development';
$config_file = dirname( __FILE__ ) . "/wp-config-{$env}.php";
if ( file_exists( $config_file ) ) {
require_once $config_file;
} else {
die( "Configuration file for {$env} not found" );
}
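Method 1 selects the environment from a value the client sends. The following added example (not part of the original tutorial) takes the environment from a server-set variable instead, accepts only known names, and falls back to production settings; `resolve_env()`, `debug_profile()`, `load_db_settings()` and the INI content are hypothetical names and constructed data.

```php
<?php
// Added example: environment selection that does not depend on the Host header.

/** Accept only known environment names; anything else is production. */
function resolve_env( $raw ): string {
    $allowed = array( 'development', 'staging', 'production' );
    return in_array( $raw, $allowed, true ) ? $raw : 'production';
}

/** Debug constants for an environment; on-screen errors in development only. */
function debug_profile( string $env ): array {
    return array(
        'WP_DEBUG'         => $env !== 'production',
        'WP_DEBUG_LOG'     => $env !== 'production',
        'WP_DEBUG_DISPLAY' => $env === 'development',
    );
}

/** Read the four DB_* values from an INI file; refuse partial files. */
function load_db_settings( string $file ): array {
    // INI_SCANNER_RAW keeps values as written instead of interpreting them.
    $ini  = parse_ini_file( $file, false, INI_SCANNER_RAW );
    $need = array( 'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST' );
    if ( $ini === false || array_diff( $need, array_keys( $ini ) ) ) {
        throw new RuntimeException( 'Database settings are missing or unreadable' );
    }
    return array_intersect_key( $ini, array_flip( $need ) );
}

// Demo with a constructed settings file. In wp-config.php this would be a
// fixed path outside the document root, readable only by the PHP user.
$file = tempnam( sys_get_temp_dir(), 'wpdb' );
file_put_contents( $file, "DB_NAME=wordpress_prod\nDB_USER=prod_user\n"
    . "DB_PASSWORD=constructed-secret\nDB_HOST=localhost\n" );

// WP_ENV is set by the web server or PHP-FPM pool, not by the request.
$env       = resolve_env( getenv( 'WP_ENV' ) );
$constants = array( 'WP_ENV' => $env ) + debug_profile( $env ) + load_db_settings( $file );
foreach ( $constants as $name => $value ) {
    define( $name, $value );
}
unlink( $file );
printf( "%s: debug display %s\n", WP_ENV, WP_DEBUG_DISPLAY ? 'on' : 'off' );
```

With `WP_ENV` unset or set to an unexpected value, the script reports `production: debug display off`, which is the fail-closed behaviour the hostname switch lacks.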
Custom Constants
API and Integration Settings
<?php
/**
* Custom Constants for Your Application
*/
// API Keys
define( 'GOOGLE_MAPS_API_KEY', 'your-api-key-here' );
define( 'MAILCHIMP_API_KEY', 'your-mailchimp-key' );
define( 'STRIPE_PUBLIC_KEY', 'pk_test_123456' );
define( 'STRIPE_SECRET_KEY', 'sk_test_123456' );
// Custom paths
define( 'CUSTOM_UPLOAD_DIR', '/var/www/uploads' );
define( 'CDN_URL', 'https://cdn.example.com' );
define( 'STATIC_ASSETS_URL', 'https://static.example.com' );
// Feature flags
define( 'ENABLE_BETA_FEATURES', false );
define( 'MAINTENANCE_MODE', false );
define( 'ENABLE_CACHE', true );
// Email settings
define( 'SMTP_HOST', 'smtp.gmail.com' );
define( 'SMTP_PORT', 587 );
define( 'SMTP_USER', 'user@example.com' );
define( 'SMTP_PASS', 'password' );
define( 'SMTP_FROM', 'noreply@example.com' );
define( 'SMTP_FROMNAME', 'Example Site' );
// Custom application settings
define( 'APP_VERSION', '1.0.0' );
define( 'APP_ENVIRONMENT', 'production' );
define( 'ENABLE_ANALYTICS', true );
define( 'GA_TRACKING_ID', 'UA-123456-1' );
Complete Production wp-config.php Example
<?php
/**
* Production WordPress Configuration
*
* This is a complete, secure wp-config.php for production use
*/
// ** Environment Detection ** //
define( 'WP_ENV', 'production' );
// ** MySQL settings ** //
define( 'DB_NAME', getenv('DB_NAME') ?: 'wordpress_prod' );
define( 'DB_USER', getenv('DB_USER') ?: 'wp_user' );
define( 'DB_PASSWORD', getenv('DB_PASSWORD') ?: 'secure_password_here' );
define( 'DB_HOST', getenv('DB_HOST') ?: 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
// ** Authentication Keys and Salts ** //
define('AUTH_KEY', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('SECURE_AUTH_KEY', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('LOGGED_IN_KEY', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('NONCE_KEY', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('AUTH_SALT', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('SECURE_AUTH_SALT', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('LOGGED_IN_SALT', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
define('NONCE_SALT', 'GENERATE-YOUR-OWN-UNIQUE-KEYS-HERE');
// ** Table prefix ** //
$table_prefix = 'wpx7_';
// ** URLs ** //
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
// ** SSL ** //
define( 'FORCE_SSL_ADMIN', true );
// ** Debug mode (disabled for production) ** //
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'SCRIPT_DEBUG', false );
// ** Performance ** //
define( 'WP_CACHE', true );
define( 'WP_MEMORY_LIMIT', '256M' );
define( 'WP_MAX_MEMORY_LIMIT', '512M' );
define( 'WP_POST_REVISIONS', 5 );
define( 'AUTOSAVE_INTERVAL', 300 );
define( 'EMPTY_TRASH_DAYS', 30 );
// ** Security ** //
define( 'DISALLOW_FILE_EDIT', true );
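define( 'DISALLOW_FILE_MODS', true );
// DISALLOW_FILE_MODS also switches off automatic updates, so the next line
// has no effect while it is set; updates must then be deployed another way.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );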
// ** Cron ** //
define( 'DISABLE_WP_CRON', true ); // Use system cron instead
define( 'ALTERNATE_WP_CRON', false );
// ** File permissions ** //
define( 'FS_METHOD', 'direct' );
define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );
// ** Content Directory (optional custom location) ** //
// define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/content' );
// define( 'WP_CONTENT_URL', 'https://example.com/content' );
// ** That's all, stop editing! ** //
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
Practice Exercise
Configure wp-config.php for different scenarios:
Practice Assignment
Master wp-config.php configuration:
- Create a comprehensive wp-config.php with all security best practices
- Document each setting with comments explaining its purpose
- Implement environment detection using at least two methods
- Configure debug logging and test it works properly
- Set up custom constants for a hypothetical project
- Create a script to generate secure keys automatically
- Write a security audit checklist for wp-config.php
- Test different memory limit settings and document the effects